US-CERT: Stop using your remotely exploitable Netgear routers

A flaw in Netgear routers R7000, R8000 and R6400 can easily be remotely exploited. US-CERT advises discontinuing use until Netgear issues a fix. There's a way to test if your router is vulnerable and an unofficial temporary fix.


Netgear router owners, I hope you have a spare router—at least those of you with remotely exploitable models—since US-CERT recommended discontinuing use of router models that are vulnerable to arbitrary command injection.

Which models? Right now it looks like Netgear R7000, R6400 and R8000 routers, but there may be more. Should you really take this seriously and unplug your router? You betcha, since US-CERT said it is “trivial” to exploit this vulnerability. Visit a booby-trapped page, and whammo! An attacker would be saying hello to root privileges on your router.

An exploit was published on Exploit Database on Dec. 7. Netgear has yet to issue new firmware to patch the flaw in its vulnerable routers. There is a way to test if your router is vulnerable and even an unofficial temporary fix you can try if tossing out your router is not an option.

US-CERT advised discontinuing use of vulnerable routers

On Friday, Dec. 9, US-CERT (Computer Emergency Readiness Team) published a vulnerability advisory about Netgear routers R7000 and R6400. Since then, Reddit user noxlator said the R8000 is also vulnerable and US-CERT updated the advisory to reflect that information.

US-CERT warned:

Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted website, a remote attacker may execute arbitrary commands with root privileges on affected routers.

…

This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version 1.0.3.4_1.1.2, is vulnerable. Other models may also be affected.

I know you don’t want to join the ranks of insecure router owners, since the devices are frequently abused, such as by Mirai malware, and added to IoT botnets to launch massive DDoS attacks. Since Netgear has released no fix and US-CERT currently does not have a solution to the problem, US-CERT advised: “Discontinue use.”

Test to see if your Netgear router is vulnerable

The command injection vulnerability was discovered by a Twitter user going by Acew0rm. He has since posted a video that explains how you can test to see if your Netgear router is remotely exploitable. You can also use his code on GitHub and hope you don’t see the message: “You have been pwned.”

You may have noticed that Acew0rm said he didn’t expect news of this vulnerability to grow so big. It seems like Netgear sure didn’t, since the company was told about the flaw four months ago. Let’s hope any official statement by the company doesn’t include insincere platitudes such as “your security is important to Netgear.”

Temporary fix

If you don’t have spare routers just lying around in case of an emergency such as your router potentially being pwned and added to an IoT botnet, then you might want to try a “temporary fix” provided by Bas.

Bas suggested:

1. (optional) Verify that your router is affected by going to this URL:

http://[router-address]/cgi-bin/;uname$IFS-a

If that shows you anything but an error (or an empty page), you’re affected.

2. Point your browser to the following URL to terminate the web server process (which facilitates the vulnerability) on your router:

http://[router-address]/cgi-bin/;killall$IFS'httpd'

3. (optional) Verify that the URL in step (1) is no longer accessible.

The temporary fix uses the vulnerability to stop the router’s web server, meaning you won’t be able to access router settings via your browser, yet the router will keep functioning. It’s nothing permanent, as a simple reboot will return your Netgear router to its old vulnerable state.
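Because the trigger is an ordinary HTTP GET whose path starts with /cgi-bin/ followed by a shell metacharacter, it leaves a recognizable trace in any web-server or proxy log that records request paths. The following detector, an added example that is not code from the article, from Bas, from Acew0rm or from Netgear, scans Common Log Format lines for that pattern, URL-decoding each path first so percent-encoded variants (%3B for ';', %24 for '$') are not missed. It applies the article's own success criterion (a non-error, non-empty response means the command ran) to flag which attempts likely succeeded. The log lines are constructed for the example; the log format and field names are assumptions, and a real router's log may differ.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from any real device).
# Lines 1-3 mirror the request shape described in the article; lines 4-5 are benign.
SAMPLE_LOG = """\
192.168.1.23 - - [09/Dec/2016:10:12:01 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 512
192.168.1.23 - - [09/Dec/2016:10:12:05 +0000] "GET /cgi-bin/;killall$IFS'httpd' HTTP/1.1" 200 0
192.168.1.40 - - [09/Dec/2016:10:13:11 +0000] "GET /cgi-bin/%3Buname%24IFS-a HTTP/1.1" 200 512
192.168.1.40 - - [09/Dec/2016:10:14:00 +0000] "GET /index.html HTTP/1.1" 200 2048
192.168.1.7 - - [09/Dec/2016:10:15:30 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 300
"""

# Common Log Format: client ident user [timestamp] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The published trigger places a ';' directly after the /cgi-bin/ directory so the
# remainder of the path is treated as a shell command; $IFS stands in for a space.
INJECT_RE = re.compile(r'/cgi-bin/\s*;')
IFS_RE = re.compile(r'\$IFS')


def classify_request(path):
    """Return None for a benign path, or a dict describing the injection attempt.

    The path is URL-decoded before matching so %3B / %24 encodings are caught.
    """
    decoded = unquote(path)
    if not INJECT_RE.search(decoded):
        return None
    return {
        "decoded_path": decoded,
        "uses_ifs": bool(IFS_RE.search(decoded)),
    }


def scan_log(text):
    """Scan CLF lines and return one alert per request that matches the pattern.

    'likely_succeeded' applies the article's test: anything other than an error
    or an empty page means the injected command executed.
    """
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        verdict = classify_request(m.group("path"))
        if verdict is None:
            continue
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        alerts.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "raw_path": m.group("path"),
            "status": status,
            "size": size,
            "likely_succeeded": status < 400 and size > 0,
            **verdict,
        })
    return alerts


def sources_with_successful_injection(alerts):
    """Distinct client addresses that had at least one likely-successful attempt."""
    return sorted({a["src"] for a in alerts if a["likely_succeeded"]})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        flag = "SUCCESS?" if a["likely_succeeded"] else "attempt"
        print(f'{a["ts"]} {a["src"]} {flag} {a["decoded_path"]}')
    print("hosts to investigate:", sources_with_successful_injection(found))
```

Run against the sample, the scanner flags the three injection requests (including the percent-encoded one), marks the two that returned a non-empty 200 response as likely successful, and ignores the benign /index.html and /cgi-bin/status.cgi requests. Alerts on the LAN side from a browser's own address are consistent with the drive-by scenario in the advisory, where a visited web page makes the request on the victim's behalf.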